Sensitive Information Exposure in OpenStack Compute (Nova) by Vendor OpenStack
CVE-2015-8749

5.9MEDIUM

Key Information:

Vendor
Openstack
Status
Nova
Vendor
CVE Published:
15 January 2016

Summary

The volume_utils._parse_volume_info function in OpenStack Compute (Nova) prior to version 2015.1.3 and 12.0.x before 12.0.1 may expose sensitive connection information. When using the Xen backend, the connection_info dictionary is included in the StorageError messages, potentially allowing attackers to extract password information through log file access or other unnamed methods. This exposure poses significant privacy risks to users and systems relying on secure cloud operations.

References

http://www.openwall.com/lists/oss-security/2016/01/07/9
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/80189
vdb-entryx_refsource_BID
https://security.openstack.org/ossa/OSSA-2016-002.html
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.